Install and Configure Drupal 8 with Nginx and Let's Encrypt on CentOS 8


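Drupal is a free, open-source and extensible content management system that individuals can use to create and manage all kinds of websites. It is written in PHP and stores its data in MySQL / MariaDB. Drupal offers a rich feature set that can be extended with thousands of add-ons. Drupal supports many web servers, including Apache, Nginx, IIS and Lighttpd, and the databases MySQL, MariaDB, MongoDB, SQLite, PostgreSQL and MS SQL Server. Drupal comes with a simple, easy-to-use web UI that lets you build a website without any coding knowledge.

This tutorial shows how to install Drupal 8 on a CentOS 8 server and secure it with a free Let's Encrypt SSL certificate.

Requirements

  • A server running CentOS 8.
  • A valid domain name pointed to your server IP.
  • A root password is set up on the server.

Install Nginx, MariaDB and PHP

Before you begin, you need to install a LEMP server on your system. You can install it by running the following command: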

dnf install nginx mariadb-server php php-fpm php-cli php-mbstring php-gd php-xml php-curl php-mysqlnd php-pdo php-json php-opcache -y

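Once the installation is complete, start the Nginx, MariaDB and php-fpm services and enable them to start after a system reboot with the following commands:

systemctl start nginx
systemctl start php-fpm
systemctl start mariadb
systemctl enable nginx
systemctl enable php-fpm
systemctl enable mariadb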

Configure the Database

By default, MariaDB is not secured, so you need to secure it. You can do so by running the following command:

mysql_secure_installation

Answer all the questions as shown below.

Enter current password for root (enter for none):
Set root password? [Y/n] Y
New password:
Re-enter new password:
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

Once that is done, log in to the MariaDB shell with the following command:

mysql -u root -p

Enter the root password when prompted, then create the Drupal database and user with the following commands:

MariaDB [(none)]> CREATE DATABASE drupaldb CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
MariaDB [(none)]> CREATE USER [email protected] IDENTIFIED BY "password";

Next, grant all privileges on drupaldb with the following command:

MariaDB [(none)]> GRANT ALL ON drupaldb.* TO [email protected] IDENTIFIED BY "password";

Next, flush the privileges and exit the MariaDB shell with the following commands:

MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;

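Download Drupal

First, you need to download the latest version of Drupal from the official website. You can download it with the following command: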

wget https://ftp.drupal.org/files/projects/drupal-8.7.10.tar.gz

Once downloaded, extract the downloaded file with the following command:

tar -xvzf drupal-8.7.10.tar.gz

Next, move the extracted directory to the Nginx web root with the following command:

mv drupal-8.7.10 /var/www/html/drupal

Next, create a directory to store your website files and create settings.php from the default.settings.php file, as shown below.

mkdir /var/www/html/drupal/sites/default/files
cp /var/www/html/drupal/sites/default/default.settings.php /var/www/html/drupal/sites/default/settings.php

Next, change the ownership of the Drupal directory to nginx, as shown below.

chown -R nginx:nginx /var/www/html/drupal/

Configure Nginx for Drupal

First, create a php-fpm configuration file for Drupal with the following command:

nano /etc/php-fpm.d/drupal.conf

Add the following lines:

[drupal]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
listen = /run/php-fpm/drupal.sock
pm = ondemand
pm.max_children =  50
pm.process_idle_timeout = 10s
pm.max_requests = 500
chdir = /

Save and close the file when you are finished. Next, create an Nginx virtual host configuration file for Drupal.

nano /etc/nginx/conf.d/drupal.conf

Add the following lines:

server {
    listen 80;
    server_name example.com;

    root /var/www/html/drupal;

    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

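    # Deny .php requests whose path has a dot followed later by a slash
    # (for example /index.php/extra.php).
    location ~ \..*/.*\.php$ {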
        return 403;
    }

    location ~ ^/sites/.*/private/ {
        return 403;
    }

    # Block access to scripts in site files directory
    location ~ ^/sites/[^/]+/files/.*\.php$ {
        deny all;
    }

    # Block access to hidden files and directories (names beginning with a period).
    location ~ (^|/)\. {
        return 403;
    }

    location / {
        try_files $uri /index.php?$query_string;
    }

    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }
    # Do not allow direct access to PHP files in the vendor directory.
    location ~ /vendor/.*\.php$ {
        deny all;
        return 404;
    }


    location ~ '\.php$|^/update.php' {
        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
        include fastcgi_params;
        # Block httpoxy attacks. See https://httpoxy.org/.
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/run/php-fpm/drupal.sock;
    }
    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
        try_files $uri @rewrite;
    }

    # Handle private files through Drupal. Private file's path can come
    # with a language prefix.
    location ~ ^(/[a-z-]+)?/system/files/ { # For Drupal >= 7
        try_files $uri /index.php?$query_string;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        try_files $uri @rewrite;
        expires max;
        log_not_found off;
    }
}

Save and close the file. Next, restart the php-fpm and Nginx services to apply the changes.

systemctl restart php-fpm
systemctl restart nginx
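
The deny rules in the server block can be checked offline before relying on them. The following added example (not part of the original tutorial) replays constructed request paths against the five deny regexes in file order; the rule labels and the function name first_deny are made up here, and grep -E stands in for nginx's PCRE.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Rule labels are made up here.
# nginx tries regex locations in file order and the first match wins, so the
# deny rules are listed in the order they appear in drupal.conf.
RULES='dot-then-php \..*/.*\.php$
private-dir ^/sites/.*/private/
php-in-files ^/sites/[^/]+/files/.*\.php$
hidden-path (^|/)\.
vendor-php /vendor/.*\.php$'

# The hidden-path rule with its backslash lost: "." now matches any character.
RULES_UNESCAPED='hidden-path (^|/).'

# first_deny URI [RULES]: print the label of the first deny rule that matches
# URI, or "pass" when none does. grep -E stands in for nginx's PCRE engine;
# these particular patterns mean the same thing in both.
first_deny() {
    fd_uri=$1
    fd_rules=${2:-$RULES}
    while read -r fd_name fd_regex; do
        if printf '%s\n' "$fd_uri" | grep -Eq -e "$fd_regex"; then
            echo "$fd_name"
            return 0
        fi
    done <<EOF
$fd_rules
EOF
    echo pass
}

# Constructed request paths: one per rule plus two that must get through.
for uri in /node/1 /index.php /.git/config /index.php/extra.php \
           /sites/default/private/report.pdf \
           /sites/default/files/upload.php /vendor/autoload.php; do
    printf '%-40s %s\n' "$uri" "$(first_deny "$uri")"
done
printf '%-40s %s\n' "/node/1 (backslash lost)" \
    "$(first_deny /node/1 "$RULES_UNESCAPED")"
```

A result of pass means no deny rule matched and the request continues to the remaining locations; the last line shows that the hidden-path rule without its backslash rejects every path.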

Configure SELinux and the Firewall

By default, SELinux is enabled on CentOS 8, so you need to configure SELinux for Drupal to work properly.

First, allow Drupal to write to the public and private file directories with the following commands:

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/drupal(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/drupal/sites/default/settings.php'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/drupal/sites/default/files'
restorecon -Rv /var/www/html/drupal
restorecon -v /var/www/html/drupal/sites/default/settings.php
restorecon -Rv /var/www/html/drupal/sites/default/files

Next, allow Drupal to send outgoing email with the following command:

setsebool -P httpd_can_sendmail on

Next, you need to create firewall rules to allow the HTTP and HTTPS services from external networks. You can do this with the following commands:

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

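Secure Drupal with Let's Encrypt SSL

Drupal is now installed and configured. It is time to secure it with a free SSL certificate from Let's Encrypt.

To do so, you need to download the certbot client on your server. You can run the following commands to download it and set the correct permissions:

wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto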

Next, run the following command to obtain and install an SSL certificate for your Drupal website:

certbot-auto --nginx -d example.com

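The above command will first install all the required dependencies on your server. Once they are installed, you will be asked to provide your email address and accept the terms and conditions, as shown below.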

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y 


Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/drupal.conf

Next, you need to choose whether or not to redirect HTTP traffic to HTTPS, as shown below.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Type 2 and press Enter to continue. Once the installation is finished, you will see the following output:

Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/drupal.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-03-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

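Access the Drupal Website

Now open your web browser and enter the URL https://example.com. You will be redirected to the following page:

Select your preferred language and click the Save and continue button. You should see the following page:

Choose an installation profile

Select an installation profile and click the Save and continue button. You should see the following page:

Database configuration

Provide your database details and click the Save and continue button. You should see the following page:

Configure your site

Enter your site name, admin username and password, then click the Save and continue button. The Drupal dashboard is displayed on the next page:

Welcome to the Drupal site

Congratulations! You have successfully installed and secured Drupal on a CentOS 8 server.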
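
The recursive chown earlier gives the account PHP-FPM runs as (nginx) ownership of all of Drupal, including core and settings.php, which holds the database password once the installer has run. As an added example (not part of the original tutorial), these shell checks list what that account still owns outside the upload directory, whether settings.php is still writable, and whether PHP files have appeared under sites/default/files; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial: post-install audit of the
# docroot. Function names are made up here; paths follow this tutorial.

# owned_outside_uploads ROOT USER: print every path under ROOT, except the
# public files directory, that USER (name or numeric uid) owns. PHP running
# as USER can rewrite those files, or chmod them back to writable.
owned_outside_uploads() {
    find "$1" -path "$1/sites/default/files" -prune -o -user "$2" -print
}

# settings_locked ROOT: succeed only if settings.php exists and has no write
# bit set for owner, group or other.
settings_locked() {
    sl=$1/sites/default/settings.php
    [ -f "$sl" ] && [ -z "$(find "$sl" \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print)" ]
}

# php_in_uploads ROOT: print PHP files found in the public files directory,
# where only user-supplied content should live.
php_in_uploads() {
    find "$1/sites/default/files" -type f -name '*.php' -print
}

# make_demo_tree: build a small constructed docroot and print its path, so
# the checks can be tried without touching a real site.
make_demo_tree() {
    mdt=$(mktemp -d) || return 1
    mkdir -p "$mdt/core" "$mdt/sites/default/files"
    for f in index.php core/install.php sites/default/settings.php \
             sites/default/files/logo.png sites/default/files/upload.php; do
        : > "$mdt/$f"
    done
    chmod 644 "$mdt/sites/default/settings.php"
    echo "$mdt"
}

# On the server built in this tutorial:
#   owned_outside_uploads /var/www/html/drupal nginx
#   settings_locked /var/www/html/drupal || echo "settings.php is writable"
#   php_in_uploads /var/www/html/drupal
```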
